New Delhi: The draft Encryption Policy released by the Department of Electronics and Information Technology (Deity) late last week drew flak from both the media and netizens, raising concerns over privacy and over-reach of the state. In view of the concerns, the government on Tuesday withdrew it and asked the Deity to redraft it.

What is Encryption?

Wikipedia defines encryption as the process of encoding messages or information in such a way that only authorised parties can read it. In an encryption scheme, the message to be communicated, referred to as plaintext, is transformed by an encryption algorithm under an encryption key into ciphertext, which cannot be read unless it is decrypted. In principle it is possible to recover the message without possessing the key, but for a well-designed scheme this requires enormous computational resources and skill. An authorised recipient can easily decrypt the message with the key; unauthorised interceptors cannot.

Popular messaging services such as WhatsApp, Viber, Google Chat and Yahoo Messenger encrypt messages in transit. For instance, when a WhatsApp message is sent it is automatically encrypted, that is, turned into scrambled text, and unscrambled again for the recipient. This happens automatically using keys at both ends of the conversation; users play no part in it. Banks and e-commerce sites also use encryption to protect financial and private data, including passwords.

How did encryption originate?

The Preamble to the draft policy states that encryption technology was traditionally deployed most widely to protect the confidentiality of military and diplomatic communication. The revolution in Internet technology, the proliferation of online communication apps and the subsequent growth in their usage, however, expanded the scope of encryption to civilian applications such as e-commerce and e-governance. This in turn created the need to protect privacy, to increase the security of the Internet and associated information systems, and to develop policies that favour the spread of encryption worldwide. The Information Technology Act 2000 provides for prescribing modes or methods of encryption (Section 84A) and for directing decryption (Section 69).

What was the draft encryption policy?

According to the terms of the new draft encryption policy, “user shall reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. All information shall be stored by the concerned B/C (business/citizen) entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country."

This means that users would need to keep a plain-text record, for 90 days, of messages shared on social media and messaging services, since those messages are encrypted. For companies that store private data it would mean keeping the plain-text form of everything they encrypt, passwords included, so private and confidential data would sit unencrypted, and hence exposed, for 90 days. That defeats the purpose of encryption, which is to protect the confidentiality and integrity of information in transit and at rest.

What were the concerns raised?

The biggest concern about the new policy is that users and organisations would need to store all communication in plain text for 90 days from the date of transaction and make it available "on demand" to law enforcement agencies in line with the provisions of the laws of the country. According to Medianama founder and ‘Save The Internet’ volunteer Nikhil Pahwa, at least 99.99% of users in India do not know the meaning of plain text, and in such a case they could be held liable for not storing their encrypted data in plain-text format. Pahwa also expressed concern over manipulation of plain-text data by hackers.

Another provision that stirred controversy is that, in the case of communication with any foreign entity, the primary responsibility for providing readable plaintext along with the corresponding encrypted information would rest with the business or citizen located in India. Additionally, service providers located within or outside India that use encryption technology to provide any type of service in India would have to enter into an agreement with the government.

This is seen as impractical: a great many service providers around the world use encryption, and it is unrealistic to expect all of them to sign an agreement with the Indian government.

What invited further criticism is that the government proposed to prescribe the algorithms and key sizes to be used for encryption. That would put the state, rather than the user or the service provider, in charge of how strongly every piece of data may be protected.

No wonder, then, that the draft was seen as totalitarian in nature: it seemed to treat every individual in the country as a potential criminal. Pahwa also raises serious questions in Medianama about how the government expects users to know about all the communication taking place from their devices, given that most communication today goes through apps or social media platforms.

How, then, are users to figure out whether their messages are encrypted, how are they to store the plaintext version of that encrypted communication for 90 days, and, on top of that, keep it away from hackers?

The government first issued an addendum to the draft policy, but later decided to withdraw it and have it redrafted.
